Archive for November, 2012

Recently, the website “Hoax Slayer” pointed us to a spammed email message that warns users of a Tsunami and encourages them to click on a link to watch a video. The article, which the cybercriminals made to look like it came from “news.com.au”, claims that experts have predicted that a Tsunami will hit Australia on New Year’s Eve.

The “watch now” link connects to {BLOCKED}be.us and downloads a file that pretends to be an AVI video inside a ZIP archive. In reality, “sunami_australian_agency_of_volcanology_and_seismology.avi.pif” is a malicious file, which Trend Micro detects as BKDR_DOKSTORMC.A.
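The double-extension trick in this lure (a `.pif` executable named to look like an `.avi`, shipped inside a ZIP) is something a mail gateway or download scanner can flag before anyone opens the file. The following Python script is an added example and not code from the original post: it lists the members of a ZIP archive, flags names whose final extension is executable while the extension before it is a media or document decoy, flags the U+202E right-to-left-override trick, and checks whether a member's first two bytes are the `MZ` header of a Windows executable regardless of what the member is called. The extension lists are assumptions for the example, and the archive it inspects is constructed inline (the member name is the one quoted above; its content is a harmless stub, not the real sample), so it runs offline.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows treats as executable on double-click (list is an assumption for this example).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "lnk", "msi"}
# Extensions a user expects to open harmlessly; a decoy when they precede an executable one.
DECOY_EXTS = {"avi", "mp4", "mkv", "wmv", "mov", "mp3", "jpg", "jpeg", "png",
              "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}
RLO = "\u202e"  # Unicode right-to-left override: reverses how the tail of a name is displayed


def classify_name(name: str) -> List[str]:
    """Return the reasons a member name looks like a disguised executable (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # strip any directory component inside the archive
    if RLO in base:
        reasons.append("name contains U+202E right-to-left override")
    parts = base.lower().split(".")
    if len(parts) >= 2:
        final = parts[-1].strip()
        if final in EXECUTABLE_EXTS:
            if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
                reasons.append(f"decoy '.{parts[-2].strip()}' hides executable '.{final}'")
            else:
                reasons.append(f"executable extension '.{final}'")
    return reasons


def scan_zip(zip_bytes: bytes) -> List[Tuple[str, List[str]]]:
    """Inspect every file member: name heuristics plus a content check on the first two bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            # A Windows executable (.exe, .pif, .scr, ...) starts with "MZ" whatever it is named.
            if head == b"MZ":
                reasons.append("content starts with MZ (Windows executable header)")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: the lure's file name from the post, with a harmless MZ stub as content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sunami_australian_agency_of_volcanology_and_seismology.avi.pif",
                    b"MZ" + b"\x00" * 62)          # stub header only, not the real sample
        zf.writestr("readme.txt", b"just text")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()):
        print(f"{member}: {'; '.join(why)}")
```

The content check matters more than the name check: renaming the lure to a plain `.avi` would defeat the extension heuristic but not the `MZ` test, while the name heuristics catch scripts and shortcuts that have no `MZ` header.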

Based on our analysis, this backdoor connects to {BLOCKED}s117.no-ip.org, which resolved to {BLOCKED}.{BLOCKED}.13.114 (but currently resolves to {BLOCKED}{BLOCKED}.116.223). It remains unclear who is behind the attack and what the motivation may be.

The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00. However, there are many forum posts complaining that the said RAT is overpriced. There are also free cracked versions available for download from a variety of sources.

Arcom RAT was reportedly authored by “princeali” who has been actively coding RATs and malware for about a decade. The alias “princeali” is connected to a group known as NuclearWinterCrew which created the infamous NuclearRAT.

Ransomware has become a major concern among users, particularly the variants that mimic law enforcement agencies like the FBI (known as police ransomware). New features keep being incorporated into the threat: recently an audio file, and now fake digital certificates.

We encountered two samples bearing the same fake digital signature, which Trend Micro detects as TROJ_RANSOM.DDR. According to senior threat researcher David Sancho, the digital signature’s name and its issuing provider are very suspicious. Sancho believes that the fake signature’s sole purpose is likely to elude digital signature checks.

Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability.

Once executed, TROJ_RANSOM.DDR holds the system “captive” and prevents users from accessing it. It then displays a warning message to scare its victims into paying a fee. To intimidate users further, this warning message often spoofs law enforcement agencies like the FBI, often claiming that they caught users doing something illegal (or naughty) over the Internet.

Who goes on a shopping frenzy when seeing low-priced electronics and houseware just in time for the gift-giving season? Obviously a lot of people, as evidenced by the $1.25 billion total online spending seen on Cyber Monday last year, the heaviest in U.S. history. This year, entrepreneurs and consumers anticipate another record-breaking Cyber Monday as the holiday season approaches.

What’s more is that this online holiday shopping explosion is slowly spreading across the world. In Australia, a one-day online sale, Click Frenzy, is about to kick off Christmas shopping for the first time. At around the same time as Cyber Monday, online retailers in China offer large discounts on November 11, Singles Day.

Popular price comparison site, PriceGrabber, predicts that almost two in 10 consumers will shop using a mobile device—and of those mobile shoppers, seven in 10 will actually buy something! Building on the popularity of online shopping, mobile shopping is steadily catching on as a convenient and profitable trend.

Deal Breakers

How easy is it to shop on your mobile device? A few steps are all it takes to find a deal and buy it. But risks lie in the nicks and cracks where threat actors can butt in and pretend they care about getting you your product. You might not know it yet, but simply using a free Internet connection or clicking paid search links can get you and your financial information into a lot of trouble.

Even now, we are already seeing product fraud and fake offers that use the US holiday Black Friday in spammed messages. Like last year’s fake Black Friday and Cyber Monday discount offers that led to malware, we believe cybercriminals will take advantage of this year’s Cyber Monday.

Risks Not Taken

It’s a good thing you’re not entirely powerless against these mobile sniffing dogs. To help you take advantage of online deals minus the fear of information theft, we make sure you are safe every step of the way.

Go straight to the source for the best deals in town. Deal aggregator apps are convenient, but make sure to download them direct from their developer’s webpages. This eliminates the chances of you downloading a fake app riddled with malicious code.

Beware of mobile adware. You may end up getting swindled by one if you’re not careful. A security app like Trend Micro™ Mobile Security Personal Edition can detect these for you.

Paying a fee is safer than getting Wi-Fi access for free. Be cautious about connecting to unsecured, ‘free’ Wi-Fi networks, as you may end up giving your personal information away to cybercriminals. Connect to legitimate, secured networks instead, even if it means paying a fee. Your privacy is worth it.

There is another reason why users should be wary of downloading files from file sharing sites: they host PASSTEAL variants. PASSTEAL, as you may recall, is a malware family that uses password recovery tools to steal credentials stored in Internet browsers. This technique is a departure from previous infostealers, which log keystrokes to gather data from infected systems.

Using feedback from the Trend Micro Smart Protection Network™, we found that several PASSTEAL variants use social engineering lures: some are disguised as key generators for paid applications, and others are bundled with tampered installers for paid applications, as shown below:

This indicates that PASSTEAL authors are targeting file sharers and downloaders who frequently use BitTorrent or visit file hosting sites to obtain illegal copies of software. Other variants were found disguised as e-book versions of popular Young Adult (YA) novels.

In many enterprises today, guarding against data breaches and targeted attacks is one of the top concerns of IT administrators. One of the things that administrators guard against is reconnaissance and targeting of any potential high-value personnel who may fall victim to a targeted attack. A less obvious source of information leakage, however, is the humble out-of-office notification.

Consider the typical content of an out-of-office notification: a brief explanation of why the recipient is out of the office, whom the sender can contact instead, and an estimate of when the person will return. It may also include the user’s email signature, if they have one.

Individually, this may not be a great deal of information. However, it is easy for would-be attackers to gather multiple out-of-office notifications. Based on our research into spear-phishing (the findings of which will be released in an upcoming paper), the e-mail addresses of about half of all spear-phishing recipients can be found online using Google. In many cases, corporate e-mail addresses follow a predictable firstname_lastname@companyname.com format as well; this makes many addresses “known” so long as an employee’s name is known.

The approaching holidays give would-be attackers a great opportunity to carry out this attack. In the United States, many workers will be on a long vacation over the Thanksgiving holiday. Later in the year, the Christmas/New Year period will see a similar opportunity – on an even larger scale.
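Reducing what an auto-reply gives away is mostly a matter of checking what goes into it and trimming the version that external senders receive. The following Python script is an added example, not part of the original post: it audits an auto-reply's text for the elements an out-of-office notification typically contains (an alternate contact address, a phone number, a return date, a stated reason for absence), rates the exposure higher when the reply goes to external senders, and produces a redacted version suitable for an external audience. The sample auto-reply is constructed here (fictitious names, address and number), and the regular expressions, weights and thresholds are assumptions for the example rather than any standard.

```python
import re
from typing import Dict

# Patterns for the elements an auto-reply commonly leaks (the regexes are assumptions for this example).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
DATE_RE = re.compile(
    r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}"
    r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]* \d{1,2}(?:,? \d{4})?)\b",
    re.IGNORECASE,
)
ABSENCE_RE = re.compile(
    r"\b(?:vacation|holiday|travel(?:ling|ing)?|out of (?:the )?(?:office|country)|conference)\b",
    re.IGNORECASE,
)

# Constructed sample auto-reply (names, address and number are fictitious).
SAMPLE_REPLY = (
    "I am out of the office on vacation until December 3, 2012 and will have "
    "limited access to email. For urgent matters please contact Jane Doe at "
    "jane_doe@example.com or call +1 (555) 010-2345.\n"
    "--\nJohn Smith, Treasury Manager, Example Corp"
)


def audit_auto_reply(text: str, external_audience: bool) -> Dict[str, object]:
    """Extract the leak-prone elements and rate the exposure for the given audience."""
    contacts = EMAIL_RE.findall(text)
    phones = [p.strip() for p in PHONE_RE.findall(text)]
    dates = DATE_RE.findall(text)
    reasons = ABSENCE_RE.findall(text)
    # Weights are an assumption: an alternate contact and a return date are the
    # most useful pieces for someone impersonating the absent employee.
    score = 2 * len(contacts) + len(phones) + 2 * len(dates) + len(reasons)
    if not external_audience:
        score //= 2          # the same text reaches far fewer strangers internally
    level = "high" if score >= 5 else "medium" if score >= 2 else "low"
    return {"contacts": contacts, "phones": phones, "dates": dates,
            "reasons": reasons, "score": score, "risk": level}


def redact_for_external(text: str) -> str:
    """Produce the version to send to external senders: no contact address, number or date."""
    text = EMAIL_RE.sub("[contact removed]", text)
    text = PHONE_RE.sub("[phone removed]", text)
    text = DATE_RE.sub("[date removed]", text)
    return text


if __name__ == "__main__":
    for audience in (True, False):
        result = audit_auto_reply(SAMPLE_REPLY, external_audience=audience)
        print(f"external={audience}: risk={result['risk']} score={result['score']}")
    print(redact_for_external(SAMPLE_REPLY))
```

The redaction leaves the alternate contact's name and the stated reason in place, since detecting personal names needs more than a regular expression; in practice the external message is best kept to a fixed, generic sentence, with the detailed version reserved for internal senders.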